Privacy Policy

Effective Date: April 23, 2026 Document Version: 1.0 — Pilot

About this Privacy Policy

This Privacy Policy describes how Flowtel, Inc. ("Flowtel," "we," "our," or "us"), a Delaware corporation with its principal place of business at 2301, 8 10th Street, San Francisco, CA, USA, collects, uses, and shares personal data in connection with the Flowtel platform (the "Services").

Flowtel is currently in design-partner phase. This Privacy Policy describes Flowtel's privacy practices today. A more detailed Privacy Notice will be published before Flowtel moves to general availability and paid subscriptions.

For questions about this Privacy Policy or your personal data, contact privacy@flowtel.ai.

1. Roles

When Flowtel processes personal data of an End User (e.g., a guest who calls a hotel using Flowtel) on behalf of a hotel customer of Flowtel ("Property"):

• The Property is the data controller (or "business" under the CCPA/CPRA) and determines the purposes and means of processing End User personal data.
• Flowtel is the data processor (or "service provider") and processes End User personal data only to provide the Services to the Property and as instructed by the Property.

When Flowtel collects personal data directly from website visitors, prospects, or Property administrators (e.g., via flowtel.ai contact forms or design-partner agreements), Flowtel acts as the data controller for that data.

2. What we collect

End User personal data (processor role): - Phone number, name, email, country, language, and reservation details captured from inbound calls - Audio recordings and text transcripts of calls - Loyalty membership identifiers, when applicable

Property administrator personal data (controller role): - Name, business email, role, phone number - Service configuration details

Website / prospect data (controller role): - Information voluntarily submitted via contact or design-partner forms - Standard server log information (IP, user-agent) for security and abuse prevention

3. Why we process data

• To provide the Services as agreed with the Property
• To recognize returning End Users by phone number, retrieve guest profile from the connected PMS, quote pricing, and execute booking actions on the Property's behalf
• To monitor, troubleshoot, and improve the Services
• To respond to support and partnership inquiries
• To comply with legal obligations and enforce our Pilot Terms of Service

4. AI processing and call recordings

• Calls handled by the Services may be recorded and transcribed for the purposes of providing, monitoring, and improving the Services and for compliance and dispute resolution.
• Flowtel's voice agent is designed to identify itself as an AI to End Users at the start of each interaction.
• Flowtel does not use Customer-identifiable call audio, transcripts, or End User personal data to train foundation models operated by third parties. De-identified, aggregated data may be used to improve and develop Flowtel's internal models.

5. How we share data

We share personal data only with: - The connected property management system (e.g., Mews) as necessary to provide the Services - Sub-processors that support our infrastructure (e.g., cloud hosting, telephony, language-model providers, transcription). A current sub-processor list is available on request to privacy@flowtel.ai. - Legal, regulatory, or law-enforcement authorities where required by applicable law

We do not sell personal data, and we do not "Share" Personal Information for cross-context behavioral advertising as defined under CCPA/CPRA.

6. Data retention

End User personal data is retained for the duration of the Property's pilot and for up to 60 days thereafter for backup, audit, and Customer-initiated export purposes, after which it is deleted in accordance with Flowtel's data retention policy or earlier upon written request from the Property.

Website / prospect data is retained for the period required to respond to the inquiry and to maintain reasonable business records.

7. Security

Flowtel implements administrative, physical, and technical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These safeguards will be expanded (including SOC 2 Type II coverage and a published security overview) as Flowtel moves toward general availability.

8. International transfers

Flowtel is a U.S. company with hosting infrastructure in the United States. Where personal data of EU/UK/Swiss data subjects is processed, Flowtel will execute a Data Processing Addendum incorporating standard contractual clauses prior to processing, and will not onboard EU-located properties as design partners until that DPA is signed.

9. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing.

• For End Users: please contact the Property you interacted with first; the Property is the controller. Flowtel will support the Property in responding to your request.
• For website visitors and direct contacts: write to privacy@flowtel.ai.

10. CCPA/CPRA notice

For California residents, Flowtel acts as a Service Provider with respect to End User personal information. Flowtel does not Sell or Share Personal Information and does not retain, use, or disclose Personal Information for any purpose other than to provide the Services.

11. Children

The Services are intended for hotel operations and are not directed to children under the age of 16. Flowtel does not knowingly collect personal data from children.

12. Changes to this Privacy Policy

Flowtel may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Services with reasonable advance notice.

Contact

Flowtel, Inc. 2301, 8 10th Street, San Francisco, CA, USA Privacy: privacy@flowtel.ai Legal: legal@flowtel.ai Support: support@flowtel.ai